Conditional access and blocking downloads

This week is all about using conditional access for blocking downloads. I already did something similar before by using app enforced restrictions for Exchange Online and SharePoint Online. This time I’m going to take it one step further by looking at recently adjusted functionality for Conditional Access App Control. Conditional Access App Control enables administrators to control user sessions by redirecting the user through a reverse proxy instead of directly to the app. From then on, user requests and responses go through Cloud App Security rather than directly to the app. This creates an additional layer that can be used to filter actions. In this blog post I’ll start with a short introduction about Conditional Access App Control, followed by the configuration steps and the end-user experience.

Note: Cloud App Security can be licensed as part of EMS E5 or as a standalone service.

Introduction

Now let’s start with a short introduction about Conditional Access App Control. Conditional Access App Control uses a reverse proxy architecture and is directly integrated with conditional access. Conditional access enables administrators to route users to Cloud App Security, where data can be protected, by applying Conditional Access App Control session controls. That route enables user app access and sessions to be monitored and controlled in real time, based on access and session policies in Cloud App Security. Those policies can also be used to further refine filters and set actions to be taken on a user. In other words, Conditional Access App Control enables administrators to control user sessions by redirecting the user through a reverse proxy instead of directly to the app.

Configuration

Let’s continue by having a look at the configuration options, by looking at a specific scenario. That scenario is blocking downloads on unmanaged devices, for any supported cloud app. The following seven steps walk through that scenario. After the creation of the conditional access policy, it can be assigned to a user group like any other conditional access policy.

1 Open the Azure portal and navigate to Microsoft Intune > Conditional access > Policies or to Azure Active Directory > Conditional access > Policies to open the Conditional Access – Policies blade;
2 On the Conditional Access – Policies blade, click New policy to open the New blade;
3a On the New blade, select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, on the Include tab, select All users and click Exclude to open the Exclude tab;

Explanation: This configuration will make sure that this conditional access policy is applicable to all users.

3b On the Exclude tab, select Directory roles (preview) > Global administrator and click Done to return to the New blade;

Explanation: This configuration will make sure that this conditional access policy will exclude global administrators.

4 On the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, on the Include tab, select All cloud apps and click Done to return to the New blade;

Explanation: This configuration will make sure that this conditional access policy is applicable to all connected cloud apps.

5a On the New blade, select the Conditions assignment to open the Conditions blade. On the Conditions blade, select Device state (preview) to open the Device state (preview) blade. On the Device state (preview) blade, click Yes with Configure, on the Include tab, select All device state and click Exclude to open the Exclude tab;

Explanation: This configuration will make sure that this conditional access policy is applicable to all device states.

5b On the Exclude tab, select Device Hybrid Azure AD joined, select Device marked as compliant and click Done to return to the New blade;

Explanation: This configuration will make sure that this conditional access policy will exclude managed and compliant devices.

6 On the New blade, select the Session access control to open the Session blade. On the Session blade, select Use Conditional Access App Control, select Block downloads (preview) and click Select to return to the New blade;

Explanation: This configuration will make sure that this conditional access policy will block downloads for the assigned users, from the assigned cloud apps, on unmanaged devices. The latest options within this configuration are the built-in options Monitor only and Block downloads, which are both still in preview, and Use custom policy…. The latter option requires a custom policy within Cloud App Security. The other two options basically provide preconfigured policies, of which Block downloads provides the behavior that I need for this scenario.

7 On the New blade, select On with Enable policy and click Create;

Note: Conditional Access App Control supports any SAML or OpenID Connect app that is configured with single sign-on in Azure AD, including these featured apps.
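The seven portal steps above, expressed as the Microsoft Graph conditionalAccessPolicy body that the portal creates, together with a small offline check of which sign-ins the policy would route through Cloud App Security. This is an added example, not code from the original post; the Global administrator role template id and the Graph property names are real, while the `deviceStates` representation of the Device state (preview) condition and the helper names are assumptions.

```python
# Well-known Azure AD role template id for Global administrator (step 3b excludes this role).
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Graph cloudAppSecurityType values behind the Session options Monitor only,
# Block downloads and Use custom policy.
CAS_SESSION_TYPES = {"monitorOnly", "blockDownloads", "mcasConfigured"}


def build_cas_policy(cas_type="blockDownloads", name="Block downloads on unmanaged devices"):
    """Return the Graph conditionalAccessPolicy body equivalent to steps 3a-7 of the post.

    Assumption: the legacy beta 'deviceStates' condition models Device state (preview);
    newer tenants express the same exclusion with a device filter instead.
    """
    if cas_type not in CAS_SESSION_TYPES:
        raise ValueError(f"unknown cloudAppSecurityType: {cas_type}")
    return {
        "displayName": name,
        "state": "enabled",  # step 7: Enable policy = On
        "conditions": {
            # step 3a/3b: all users, excluding the Global administrator directory role
            "users": {"includeUsers": ["All"], "excludeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID]},
            # step 4: all cloud apps
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # step 5a/5b: all device states, except hybrid Azure AD joined or compliant devices
            "deviceStates": {"includeStates": ["All"], "excludeStates": ["DomainJoined", "Compliant"]},
        },
        # step 6: route the session through Cloud App Security with the chosen built-in option
        "sessionControls": {"cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": cas_type}},
    }


def session_control_for(policy, roles, device_states):
    """Offline approximation of how the policy treats one sign-in.

    roles: set of directory role template ids held by the user.
    device_states: set of states reported for the device, e.g. {"Compliant", "DomainJoined"}.
    Returns the cloudAppSecurityType that applies, or None when the user is not affected.
    """
    cond = policy["conditions"]
    if roles & set(cond["users"].get("excludeRoles", [])):
        return None  # step 3b: Global administrators are excluded
    if device_states & set(cond["deviceStates"].get("excludeStates", [])):
        return None  # step 5b: hybrid joined or compliant devices are exempt
    cas = policy["sessionControls"]["cloudAppSecurity"]
    return cas["cloudAppSecurityType"] if cas["isEnabled"] else None
```

The returned body is what an administrator would POST to the Graph conditionalAccess policies endpoint; the checker only mirrors the user and device-state logic of this scenario, not the full evaluation engine.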

End-user experience

Now let’s end this blog post by having a look at the end-user experience. Below are examples of the behavior with SharePoint Online and Exchange Online. I deliberately chose those apps to show the difference in end-user experience compared to using app enforced restrictions (which I mentioned at the beginning of this post). The big difference is that app enforced restrictions are handled by the app, while this configuration is handled by Cloud App Security.

Below on the left is an example of the end-user accessing SharePoint Online on an unmanaged device. The end-user receives a clear message that the access is monitored. Below on the right is an example of the end-user trying to download a file from SharePoint Online, while being directed via Cloud App Security. The end-user receives a clear message that the download is blocked.

(Screenshots: CAS-Example-SPO01, CAS-Example-SPO02)

Below are similar examples for Exchange Online. On the left is the message that the end-user receives when accessing Exchange Online on an unmanaged device, and on the right the message that the end-user receives when trying to download an email attachment.

(Screenshots: CAS-Example-EXO01, CAS-Example-EXO02)

More information

For more information regarding Cloud App Security and conditional access, please refer to the following articles:

24 thoughts on “Conditional access and blocking downloads”

  1. Does MCAS solution outlined support a scenario where you want a certain subset of guest users to be able to download against a specific set of SPO Sites or MS Teams?

  2. Hi Peter

    Is there functionality/options to prevent the user from opening the documents from online OneDrive/SharePoint etc. in the desktop application(s)? For example a Word document in OneDrive, opened in Word desktop: by selecting this option the user is able to then select Save As and save to the local machine regardless, which subsequently overrides the download option, as basically this is bypassing it?

  3. Great article Peter.

    Personally I don’t see the point of this functionality since I can use SharePoint permissions and RMS to not allow people to download documents from SharePoint.

    Did you have any luck with the new feature allowing non global admins to view BitLocker keys in Intune?
    An article on that will be great :).
    I tried my luck with Microsoft support but they blew me off since the feature is still in preview.

    • Thank you, Egert. It’s all about preference and use case.

      Regarding your BitLocker question; I haven’t really looked into that, but I might. Having said that, no timetables and no guarantees 🙂

      Regards, Peter

  4. Hello Peter,

    Thanks for the article, really helpful for a newbie like me.

    I have a basic question. We currently have AAD P1 and I have followed all the steps, but still the test user is able to download attachments from Outlook. To implement the above setup do we need Microsoft Cloud App Security + EMS 3 licensing?

    Any help is highly appreciated.

    -Thanks
    Haneesh

  5. In our environment when I apply to “All Users” it BLOCKS downloads on on-prem corporate devices. This is not the behaviour I want. However, when I select each user selectively one by one it gives the correct behaviour and does not BLOCK devices for on-prem. Any ideas how to fix this? Or is this a known issue?

  6. Hi
    I got a trial of M365 Business and I am trying to set this up, however it just does not enable.
    Do you know if Cloud App Security comes as part of this license and whether it is a requirement to use this CA session control?

    Regards
    Wasim

  7. This is great thanks!! Although I have worked out that you can still download a spreadsheet or word doc if you select “Open In Desktop App”, having said that it isn’t in my downloads folder. Does it just pull down a temp file for editing in the desktop app that isn’t available offline?

  8. Thanks for this article, how about upload file?
    That is needed for securing files, especially source code, so users can not upload these files.

  9. Hi, thanks for the article. After applying conditional access to block download, I am unable to move files from OneDrive, is this expected?
